# SSO Configuration

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FbwXTt7lMt2SRRUyx9ArM%2FSSO%20Configuration.png?alt=media&#x26;token=1dff1394-4306-4296-8369-ab91274e5278" alt=""><figcaption></figcaption></figure>

Link11 WAAP provides the ability to log in using SSO (single sign-on). Configuration varies depending on the type of SSO: Okta, Microsoft, or Google.

## Set up Okta SSO

### Step 1: Register on [Okta](https://www.okta.com/) and create an application

Go to `https://{YOUR ACCOUNT}-admin.okta.com/admin/apps/active`

Click `Create App Integration` → `Create New App`

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FhMzPAPPt8VLnMPh84seQ%2FSSO-Okta-update1.png?alt=media&#x26;token=f87de940-fe50-442f-a7d2-551d933d278a" alt=""><figcaption></figcaption></figure>

#### Set this attribute:

*Sign-in redirect URI*:

`https://<planet-name>.app.reblaze.io/auth/okta-oauth2-<planet-name>/authorization-code/callback`

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2F66Jbke1v0Uhc8Vs5n5vW%2FSSO-Okta-update2.png?alt=media&#x26;token=989d5fcc-8572-43d3-938e-74e0e4a21629" alt=""><figcaption></figcaption></figure>

### Step 2: Create a group

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2F3AsKMAL1YcMC6a8eBRRT%2FSSO-Okta-update3.png?alt=media&#x26;token=5ca00849-03c5-48c6-a237-80a71d1856c2" alt=""><figcaption></figcaption></figure>

#### Example config:

For the planet URL `https://rbzdevexample.dev.app.reblaze.io/prod/sso-configuration` (planet name `rbzdevexample.dev`), the redirect URI is:

`https://rbzdevexample.dev.app.reblaze.io/auth/okta-oauth2-rbzdevexample.dev/authorization-code/callback`

### Step 3: Add parameters to Link11

On the WAAP SSO page (**System** -> **SSO Configuration**):

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FSjoxryG2S3ts7dulCNVy%2FSSO-Okta.png?alt=media&#x26;token=d20024f6-bf14-4b17-8306-2567d4833141" alt=""><figcaption></figcaption></figure>

Fill in the requested values. For `Issuer`, use your Okta account. For `IDP Group Claim`, use the group you created above in Step 2.

## Set up Microsoft Entra ID SSO

### Step 1: Go to [Azure Portal](https://azure.microsoft.com/en-us/account/) → `Enterprise applications`

### Step 2: Create the application

Choose `+ New Application` → `+ Create your own application`:

![](https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FoAnt2IRq4bmcbGPtvNUb%2FSetup-Microsoft-Azure-SSO-1.png?alt=media\&token=130c770b-2f5d-4d59-9e9c-21951aaac2dc)

### Step 3: Create the SSO app

Select `Integrate any other application you don't find in the gallery (Non-gallery)`.

![](https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FqU6YwPAAh1kSlYTzi9FV%2FSetup-Microsoft-Azure-SSO-2.png?alt=media\&token=4bcb26ae-e1e6-45e6-abc0-01c0d2c74d51)

### Step 4: Select the SAML method

Go to the `Single sign-on` section and choose `SAML`:

![](https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FXJkm9iggrNyBCs94mnd4%2FSetup-Microsoft-Azure-SSO-3.png?alt=media\&token=b0ed4275-9b81-4f4a-b70c-4b77b5a7a698)

### Step 5: Set up the appropriate links

Edit the `Basic SAML Configuration`:

* Set Azure's `Identifier (Entity ID)` to `<planet-name>.app.reblaze.io`. Alternatively, a unique identifier can be entered (e.g., `customer_domain.com?sso=123`), without any `https://` prefix. In either case, save a copy of this value somewhere; it will be needed again later.
* Set Azure's `Reply URL` to `https://<planet-name>.app.reblaze.io/auth/azure-saml2-<planet-name>/authorization-code/callback`

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FRfvCJteJApGzhxkvzyZR%2FSSO9%20entity%20ID%20and%20Reply%20URL.png?alt=media&#x26;token=a5c944df-3870-45d1-894d-1620e48b349c" alt=""><figcaption></figcaption></figure>

### Step 6: Add a user group claim

Edit `user.groups`:

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2Fdtc4fcvbMA2LaBjsPQvA%2FSSO9%20user.groups.png?alt=media&#x26;token=45fca1df-49d4-4005-b933-5287636543ad" alt=""><figcaption></figcaption></figure>

Click on `+ Add a group claim`, and choose:

* `All groups`
* Source attribute: `Group ID`

![](https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FsWO9w1nCZoC1PzciZjhn%2FSetup-Microsoft-Azure-SSO-6.png?alt=media\&token=b81ee71a-8ae3-46d6-b205-51770e5df7de)

![](https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FHJV90Vi1zZLPFPitutQ6%2FSetup-Microsoft-Azure-SSO-7.png?alt=media\&token=3558632b-6df4-48c7-9d4e-4b0f6a47383a)

### Step 7: Add a user as a member of the application

![](https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FJGXddjhOhKFAhxIXoxXX%2FSetup-Microsoft-Azure-SSO-8.png?alt=media\&token=cc22158e-6874-4a23-8017-51d6fd31a7f0)

### Step 8: Get the admin group ID

Go to `Azure Active Directory` → `Groups`, and create a group.

![](https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FNvIIG6YAtmINJN399FRg%2FSetup-Microsoft-Azure-SSO-9.png?alt=media\&token=60ad1200-c226-4d3f-ad01-ca75a0740a46)

And assign a user to the group:

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FraSotxvtvqpHQT1oynXv%2Fimage.png?alt=media&#x26;token=0a55396a-add1-4511-86f1-29b123de55d7" alt=""><figcaption></figcaption></figure>

### Step 9: Get SAML 2 data for Reblaze

From Azure's `Single sign-on` section, copy the `Entity ID` (entered during a previous step) and `Login URL`:

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FptHUemNUIHA1QWdFCqGX%2FSSO9%20URLs.png?alt=media&#x26;token=52079f3f-8884-4e32-bec4-0697341b48df" alt=""><figcaption></figcaption></figure>

And from the Groups `Overview` section, copy the `Object Id`. This is the ID of the group created in Step 8.

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2F3pZyyN8Zphf5HNCpl8CD%2FSSO2.png?alt=media&#x26;token=60ef8991-6118-4121-8ad5-ca142449d793" alt=""><figcaption></figcaption></figure>

Add these parameters to the Reblaze SSO page. For Reblaze's `IDP group claim`, use Azure's `Object Id`.

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2Fe7NvJ47Fdd3520ZfCjLr%2FSSO3.png?alt=media&#x26;token=861d9a0a-349e-4924-9219-759d753531d4" alt=""><figcaption></figcaption></figure>

## Set up Google SSO

### Step 1: Generate new OAuth credentials

1. Go to Google APIs & Services Credentials: <https://console.cloud.google.com/apis/credentials>
2. Click **Create Credentials** (shown below) -> **OAuth client ID**

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FBSiCsfp0zlDivHB10xdd%2FSSO6.png?alt=media&#x26;token=81ed7dc4-85a0-495c-bce1-d75e07672786" alt=""><figcaption></figcaption></figure>

### Step 2: Configure the new OAuth client ID

1. For **Application type**, select *Web application*
2. Specify a **Name** for this client ID. (This name is only shown in the Google Cloud console.)

### Step 3: Add authorized URIs

Define the domains and endpoints used by your planet to communicate with the OAuth 2.0 server:

* **Authorized JavaScript origins**: `https://<planet-name>.app.reblaze.io`
* **Authorized redirect URIs**: `https://<planet-name>.app.reblaze.io/auth/google-oauth2-<planet-name>/authorization-code/callback`

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FKI7q09QrJLf65giQwxG2%2FSSO-GCP-authorized%20URIs.png?alt=media&#x26;token=83d70a96-280e-44c1-af71-1789ae183861" alt=""><figcaption></figcaption></figure>

### Step 4: Create and get credentials

1. When you are done with the above steps, select **Create**. The new client ID will be created and displayed to you.
2. Copy the credentials (client ID and client secret) for use in the steps below.

### Step 5: Enable the Admin SDK API

1. Navigate to [https://console.developers.google.com](https://console.developers.google.com/)
2. In the **APIs & Services** menu, select **Library**
3. Search for "Admin SDK API", and select the result. The Admin SDK page will appear.
4. Select **ENABLE** if it isn't already enabled.

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FC6Wd4HSOv8uIgQBGNL9j%2FSSO-GCP-Enable-Admin-SDK.png?alt=media&#x26;token=e1d9b524-d6ea-4ba2-891c-088a08fc5d30" alt=""><figcaption></figcaption></figure>

### Step 6: Authorize the API client

1. Navigate to [admin.google.com](http://admin.google.com/)
2. Select **Security** -> **Settings**
3. At the bottom of the page, select **API access control**
4. Select **Domain wide delegation** -> **Manage domain wide delegation**
5. In the API Client section, select **Add New**
6. In the **Client Name** field, enter the client ID from Step 4 above.
7. In the **One or More API Scopes** field, enter this: `https://www.googleapis.com/auth/admin.directory.group.readonly`
8. Select **Authorize**

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2FrIxO2zQiqObtdKXuMRbN%2FSSO-GCP-API-scope.png?alt=media&#x26;token=4ad459d5-a502-4829-8ec2-4d70ab9e1a84" alt=""><figcaption></figcaption></figure>

### Step 7: Configure Reblaze SSO

Within the Reblaze console, go to the SSO page (**System** -> **SSO Configuration**).

* **Enabled**: if not already "on", toggle it
* **SSO login name**: choose a name for display within the console
* **Provider:** select `google`
* **OAuth2 Client id**: enter the client id obtained in Step 4
* **OAuth2 Client secret**: enter the client secret obtained in Step 4
* **Protocol**: select `oauth2`
* **JWT token group property name**: select `email`

### Step 8: Map groups

Every Reblaze user account has a role, with an Access Level that defines permissions. There are [four Access Levels](https://waap.docs.link11.com/console-walkthrough/users-management#user-parameters) available, with varying capabilities.

When a user logs in via Google SSO, the system uses their Google Groups to determine which role they will have within Reblaze.

In this step, you will define (if necessary) and connect Google groups to Reblaze roles.

1. Determine how many roles are being used within your planet. (Some organizations will use all four, while others might not.)
2. Navigate to <https://groups.google.com/my-groups>. Consider the Groups that currently exist; would any map well to a Reblaze role? For each role that does not currently have an appropriate Google Group, select **Create Group** and define one.
3. Return to the Reblaze SSO Configuration page. For each role being used, create a group map with:
   * An **IDP Group Claim** containing the email associated with the corresponding Google Group
   * The **Reblaze role**
4. SSO configuration within Reblaze is now complete. User management now consists of ensuring that each user is a member of the appropriate Google Group. For example: a Google Group has been created for `editors@reblaze.com`, and within Reblaze, this email address is mapped to the role of `Editor`. Every user who should have Editor permissions can receive them merely by being added to the `editors@reblaze.com` Google Group.

<figure><img src="https://2966474948-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcxktceFryDnM5HLHONr8%2Fuploads%2F1UVjfYFa2xx1c31ag2Sl%2FSSO10.png?alt=media&#x26;token=06466f4f-33df-4ea5-8810-aee734669264" alt=""><figcaption></figcaption></figure>
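A preflight check for the values entered in the Okta, Entra ID and Google sections above, written as an added example (not code from the Link11/Reblaze product): it derives the callback URL the page specifies for a planet name and flags the mismatches that most often break an SSO login (a redirect URI that differs from the expected one, an Entity ID carrying a scheme, a group claim of the wrong kind for the provider). The `waap-admins` group name and the `acme` planet are constructed sample values.

```python
import re
from typing import List, Optional

# Provider tags embedded in the callback path, taken from this page.
PROVIDER_TAGS = {"okta": "okta-oauth2", "azure": "azure-saml2", "google": "google-oauth2"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def expected_callback(provider: str, planet: str) -> str:
    """Build the redirect / Reply URL the WAAP expects for a planet name.

    The planet name appears twice: in the host and in the provider path segment.
    """
    tag = PROVIDER_TAGS[provider]
    return f"https://{planet}.app.reblaze.io/auth/{tag}-{planet}/authorization-code/callback"


def check_config(provider: str, planet: str, redirect_uri: str,
                 entity_id: Optional[str], group_claims: List[str]) -> List[str]:
    """Return the problems found; an empty list means the values match the page."""
    problems = []
    expected = expected_callback(provider, planet)
    # IdPs compare redirect URIs byte for byte, so a stray space, a trailing
    # slash or a missing segment produces a redirect_uri mismatch at login.
    if redirect_uri != expected:
        problems.append(f"redirect URI should be {expected!r}")
    if provider == "azure":
        # The Entity ID is an identifier, not a URL: no https:// prefix.
        if not entity_id or "://" in entity_id:
            problems.append("Entity ID must be set and must not include a scheme")
    for claim in group_claims:
        if provider == "azure" and not GUID_RE.match(claim):
            problems.append(f"Azure IDP group claim {claim!r} is not a group Object Id")
        if provider == "google" and not EMAIL_RE.match(claim):
            problems.append(f"Google IDP group claim {claim!r} is not a group email")
    return problems


if __name__ == "__main__":
    # Constructed sample: the page's Okta example, planet name rbzdevexample.dev,
    # with a hypothetical Okta group named waap-admins.
    for p in check_config("okta", "rbzdevexample.dev",
                          expected_callback("okta", "rbzdevexample.dev"), None, ["waap-admins"]):
        print("problem:", p)
```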

